While law minister Ravi Shankar Prasad has warned Facebook co-founder Mark Zuckerberg that he will not hesitate to summon him to India in case the data of Indians is stolen in the manner that Cambridge Analytica did with that of 50 million Americans, what India really needs is to fast-forward its own privacy law that will deal with issues like this. Indeed, even before the Cambridge Analytica issue blew up, India had been dealing with privacy activists campaigning against the information Aadhaar has. While this newspaper has consistently argued that Aadhaar’s core database of biometrics is secure and that Aadhaar does not collect data on what you purchase, etc, there have been several instances of data sought at the time of enrolment—name, age, address, mobile, email—leaking; no one has alleged biometric data leaking.
This has happened either from agencies nominated by Aadhaar to collect the data or from government departments responsible for making subsidy/pension/welfare payments linked to Aadhaar numbers of beneficiaries; some government departments have, in the interests of transparency, even made public the details of the bank accounts to which the money was transferred. While the Aadhaar Act already deals with information leaks, a tough privacy law will make the information a lot more secure.
In the context of Cambridge Analytica, a tough privacy law—Justice BN Srikrishna’s final draft is expected soon now that the consultation phase is over—will put in place rules for how data is to be collected and used/shared. While Cambridge Analytica shocked most, the fact is that almost every app you download wants to have access to your address book, calendar, location, etc. Should this be allowed? It is critical for Uber to know where you are in order to send a cab, but does it need to store this information or pass it on to someone else who will target you with, say, advertisements based on the places you visited? PayTM needs access to your contacts to be able to make payments to them, but it should be restricted to just that; and, more important, should you choose not to give access, in most cases, the apps simply don’t work.
So, what is needed is a system where a minimum amount of information is collected and the user is told what it is being collected for—we, at Google, will machine-read your e-mail, a possible consent form might say, only so that we can send you targeted ads, but your data will never be revealed to a third party. And, as Srikrishna said in the consultation paper, the consent forms need to be short and clear, to prevent ‘consent fatigue’. There are also issues around whether the data collected by a Facebook about Indians should reside on Indian servers or can be located in the US. And since privacy concerns will keep evolving, based on how organisations like Facebook-Cambridge Analytica abuse privacy, it is important to let the system be flexible enough to respond to most eventualities.
That is why Srikrishna had suggested a Data Protection Authority to draw up guidelines for each organisation—like a WhatsApp or a Google—to follow, and a Data Protection Officer in each organisation whose job would be to ensure the guidelines are followed; if, for instance, the Authority says most apps don’t need access to your phone records, it will need to ensure this is being followed. The Authority could also conduct Data Protection Impact studies and assign Trust Scores to each app/organisation; there could even be a Consent Dashboard, where users can see where their data is being used.